The SANS Institute on Monday released its take on the top 10 cybersecurity
threats for 2008. Leading the list are a rise in the number of attacks
on Web browsers, the proliferation of botnets, and sophisticated cyberespionage.
Twelve noted cybersecurity experts -- Stephen Northcutt, Ed Skoudis,
Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz,
Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan
Paller -- helped compile the list. Released in conjunction with the
SANS Security 2008 conference in New Orleans, the list represents
a collective assessment of the online attack vectors most likely to
cause damage in the year ahead.
Attacks on Web browsers, particularly plug-in components like Flash
and QuickTime, represent the top threat. The reason these browser
components are being targeted is that they're widely distributed
and they're not automatically updated when the browser is updated,
leaving a longer window of vulnerability on affected systems. Additionally,
cybercriminals have been automating their attacks so that they check
for a variety of possible vulnerabilities, and disguising them so
that each new attempt is different from the last. One of the hacking
kits now available to attackers, MPack, "produces a claimed
10% to 25% success rate in exploiting browsers that visit sites
infected with the module," according to the SANS report. Attackers
also have been more successful in placing malicious payloads on
trusted sites, making reputation-based defenses less effective.
The increasing sophistication and effectiveness of botnets -- coordinated
groups of compromised PCs -- take the second spot on the SANS list.
The Storm Trojan, which began spreading through e-mail in January
2007, was responsible for one out of every 12 computer virus infections
only a week after its release. Both Storm and an upcoming rival,
Nugache, operate through encrypted peer-to-peer channels, which
means there's no central server to shut down and botnet communication
is difficult to block.
Third on the list is cyberespionage. "One of the biggest security
stories of 2007 was disclosure in congressional hearings and by
senior DoD officials of massive penetration of federal agencies
and defense contractors and theft of terabytes of data by the Chinese
and other nation states," the SANS report said. "In 2008,
despite intense scrutiny, these nation-state attacks will expand;
more targets and increased sophistication will mean many successes
for attackers."
Attacks on high-value targets are often conducted through spear-phishing,
in which personalized messages rely on social engineering to trick
recipients into taking some action that compromises their computer
-- opening a file that exploits an undisclosed Microsoft (NSDQ:
MSFT) Office vulnerability, for example.
Threats to mobile phones, particularly to the iPhone, upcoming
Google (NSDQ: GOOG) Android phones, and VoIP systems, rank fourth
on the SANS list. "A truly open mobile platform will usher
in completely unforeseen security nightmares," the SANS report
said. "The developer toolkits provide easy access for hackers."
Apple CEO Steve Jobs on Tuesday is widely expected to provide additional
details about the upcoming Apple iPhone software development kit
(SDK), about how iPhone applications will be made available (presumably
through Apple's iTunes), and about how iPhone applications will
be made secure.
Insider attacks rank fifth on the list. While rogue employees and
contractors have long been a concern of corporate security managers,
the various experts contributing to the SANS report see the risk
posed by malicious insiders rising due to the interconnectedness
of systems today and the rising value of data in general. The flurry
of acquisitions in the data leak prevention space over the past
year suggests that security companies hear worries about this from
corporate clients and are investing accordingly.